California Consumer Privacy Act Will Impose New Obligations on Businesses that Collect Consumer Data from California Residents
In California − the World’s seventh largest economy and a state that comprises roughly 40 million people − state lawmakers have passed a new law that aims to protect the privacy of consumers, and specifically details new notice requirements for those businesses that are collecting data from consumers on the web or even through conventional means at their brick-and-mortar locations.
On January 1, 2020, the California Consumer Privacy Act (CCPA) goes into effect, granting an increased right of privacy to consumers for the collection and sale of personal information. Similar bills have been proposed in Hawaii, Maryland, Massachusetts, New Mexico, Rhode Island and Washington. The new law gives consumers the right to ask businesses what types and categories of information they are collecting, requires businesses to disclose their purpose for collecting and selling the information, and provides consumers with a mechanism to exercise the option to opt out of the collection and delete any of their personal information already collected. This new law will, of course, affect as well the consumer product manufacturers that are collecting the personal information of their California consumers for warranty purposes.
The California Attorney General proposed regulations for the CCPA on October 10, 2019, which not only provide guidance to businesses for compliance but also imposes additional requirements not found in the CCPA. These regulations are set to be enforced beginning July 1, 2020. With the landscape of this legislation continuously moving, it is vital that businesses remain informed and proactive in their compliance.
The CCPA requires businesses to provide a Notice at Collection, which must be given to the consumer at or before any personal information is collected, and a Notice of Right to Opt Out of Sale, which must be clearly posted on the businesses’ webpage in conjunction with a “Do Not Sell My Personal Information” link. While businesses may not discriminate against a consumer for their decision to opt out, businesses may offer financial incentives to those consumers who do permit the collection of their personal information. Additional notice is required when businesses expand or alter the information being collected. The proposed regulations also require notice even where information is collected offline at brick-and-mortar stores.
A significant additional requirement proposed by the regulations requires businesses to acknowledge a consumer’s browser plug-ins and privacy settings as a communication exercising the right to opt out, and potentially a reversal of a consumer’s previous request to opt out. There is little guidance on how businesses should go about monitoring consumers’ browser settings, leaving much of the onus on businesses to develop and implement methods to avoid missing a consumer’s opt-out designation.
In addition to the notice requirements, the other main components of the CCPA and accompanying regulations are Right to Know and Right to Delete requests. Consumers have a right to request, and businesses have a duty to disclose, the categories and specific pieces of information being collected, the sources from which this information is collected, the purposes for collecting and selling this information, and the identity of third parties to whom this information is sold. Businesses must offer consumers at least two methods of submitting these requests. All requests must be verified, and the regulations offer a two-step process that satisfies compliance. The regulations also mandate that all unverified Requests to Delete be treated as Requests to Opt Out. Finally, a record of all requests and responses must be retained by businesses for at least 24 months.
This brief summary makes clear that states are becoming increasingly serious regarding the protection of consumers’ privacy rights, while the responsibility of businesses to protect these rights is becoming more and more onerous in turn. With the deadline for written comments to the proposed regulations set for December 6, 2019, it is all but certain that amendments, additions and supplements will be released. We will continue to monitor this legislation and report as the regulations evolve.